HIPAA Risk Assessments

As a law firm dedicated to serving the needs of the health care industry, Epstein Becker Green uses its vast experience in privacy and security matters to help clients meet Health Insurance Portability and Accountability Act (HIPAA) requirements related to conducting risk analyses.

Our Privacy & Security Group includes industry-recognized privacy and security professionals who blend their top-notch privacy proficiency with security services and computer security experience to provide effective counseling on federal and state laws governing health information privacy and security. For example, our Privacy & Security Group regularly provides counseling on:

  • conducting robust assessments of administrative, physical, and technical safeguards around protected health information;
  • mitigating risks; and
  • developing documentation of a defensible security program.

HIPAA requires that all covered entities and business associates “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” As a result, entities must go through a formal process to identify risks, assess risk levels, and implement a strategy to address risks in a prioritized manner.

To meet HIPAA’s requirements, Epstein Becker Green’s risk analysis process employs the following paradigm:

  1. Identify the scope of the risk analysis, including systems and processes.
  2. Identify and document potential threats and vulnerabilities to in-scope systems and processes.
  3. Assess the adequacy of current security controls.
  4. Determine the likelihood of threat occurrence.
  5. Determine the potential impact of threat occurrence.
  6. Determine the level of risk.
  7. Identify additional security measures to mitigate risks to an acceptable level.
  8. Monitor the progress of mitigation.